What exactly is asymmetric routing?
Asymmetric routing is communication in which the outbound packets and the return packets take different routes through the L3 devices. A firewall manages communication sessions (it tracks state), so it is incompatible with asymmetric routing.
For example, if only the returning packet arrives and the firewall never saw the outgoing packet, the packet cannot be matched to a session, so it cannot be determined whether the communication should be permitted. In addition, the UTM functions that check security by inspecting the contents of the communication are also disabled. In some cases, PING passes but TCP communication cannot be performed. This is because TCP is checked more rigorously, since it performs stateful communication. Therefore, communication confirmation should not rely solely on PING, but should also be confirmed with TCP as much as possible.
As shown in the diagram above, the outgoing traffic enters FortiGate on the LAN interface and reaches the server through the DMZ interface, but the returning traffic goes directly from the server to the PC on the LAN side and does not pass through FortiGate.
In this way, when FortiGate relays communication between different interfaces, if either the outgoing or the returning communication does not pass through FortiGate, FortiGate will block the next packet and communication will not be possible.
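The following toy model, added here as an illustration and not FortiGate's code, reproduces the behaviour described above: a session table that only opens sessions for requests from the LAN-side PC and expects each later packet to match the next handshake state. With the server's return path bypassing the firewall (the `asymmetric` flag, an assumption of this model), the ping still completes because the reply reaches the PC directly, while the TCP handshake fails because the PC's final ACK arrives at a session that never saw the SYN-ACK.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str         # "pc" (LAN side) or "server" (DMZ side)
    dst: str
    proto: str       # "tcp" or "icmp"
    flags: str = ""  # TCP: "S", "SA", "A"; ICMP: "req" or "reply"

class StatefulFirewall:
    """Minimal session table: a flow is permitted only if it was opened by a
    packet the policy allows (here: sessions initiated by the LAN-side PC) and
    every later packet matches the state the firewall expects next."""
    TCP_NEXT = {"SYN_SENT": ("responder", "SA", "SYN_RECV"),
                "SYN_RECV": ("initiator", "A", "ESTABLISHED")}

    def __init__(self):
        self.sessions = {}  # (initiator, responder, proto) -> state

    def process(self, p: Pkt) -> bool:
        fwd, rev = (p.src, p.dst, p.proto), (p.dst, p.src, p.proto)
        if fwd in self.sessions:
            key, role = fwd, "initiator"
        elif rev in self.sessions:
            key, role = rev, "responder"
        else:
            # No session yet: only a fresh request from the permitted side opens one.
            # A lone return packet matches nothing, so its permission is undecidable -> drop.
            opener = (p.proto, p.flags) in (("tcp", "S"), ("icmp", "req"))
            if p.src == "pc" and opener:
                self.sessions[fwd] = "SYN_SENT" if p.proto == "tcp" else "ICMP"
                return True
            return False
        state = self.sessions[key]
        if p.proto == "icmp":  # loose check: initiator sends requests, responder replies
            return (role == "initiator") == (p.flags == "req")
        if state == "ESTABLISHED":
            return True
        want_role, want_flags, nxt = self.TCP_NEXT[state]
        if role == want_role and p.flags == want_flags:
            self.sessions[key] = nxt
            return True
        return False  # out-of-state packet, e.g. the ACK after an unseen SYN-ACK

def run(pkts, asymmetric: bool) -> bool:
    """PC -> server always crosses the firewall (LAN -> DMZ). The server's return
    traffic crosses it only on a symmetric path; otherwise it reaches the PC directly."""
    fw = StatefulFirewall()
    for p in pkts:
        via_fw = p.src == "pc" or not asymmetric
        if via_fw and not fw.process(p):
            return False  # firewall blocked the packet, so the exchange fails
    return True

# Constructed sample exchanges: an ICMP echo and a TCP three-way handshake.
PING = [Pkt("pc", "server", "icmp", "req"), Pkt("server", "pc", "icmp", "reply")]
TCP = [Pkt("pc", "server", "tcp", "S"), Pkt("server", "pc", "tcp", "SA"),
       Pkt("pc", "server", "tcp", "A")]

if __name__ == "__main__":
    for name, pkts in (("ping", PING), ("tcp", TCP)):
        print(name, "symmetric:", run(pkts, False), "asymmetric:", run(pkts, True))
```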